Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 284824 (CVE-2009-3125)

Summary: <www-apps/bugzilla-{3.0.9, 3.4.2} Mutliple vulnerabilities (CVE-2009-{3125,3165,3166})
Product: Gentoo Security Reporter: Christian Ruppert (idl0r) <idl0r>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: again, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.bugzilla.org/security/3.0.8/
Whiteboard: B3 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 283947, 284059, 284064, 284166    
Bug Blocks:    

Description Christian Ruppert (idl0r) gentoo-dev 2009-09-13 21:33:57 UTC 
Please bump bugzilla to 3.4.2 and 3.0.9.
Reasons are CVE-2009-3125, CVE-2009-3165 and CVE-2009-3166.
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-24 15:17:55 UTC 
CVE-2009-3125 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3125):
  SQL injection vulnerability in the Bug.search WebService function in
  Bugzilla 3.3.2 through 3.4.1, and 3.5, allows remote attackers to
  execute arbitrary SQL commands via unspecified parameters.

CVE-2009-3165 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3165):
  SQL injection vulnerability in the Bug.create WebService function in
  Bugzilla 2.23.4 through 3.0.8, 3.1.1 through 3.2.4, and 3.3.1 through
  3.4.1 allows remote attackers to execute arbitrary SQL commands via
  unspecified parameters.

CVE-2009-3166 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3166):
  token.cgi in Bugzilla 3.4rc1 through 3.4.1 places a password in a URL
  at the beginning of a login session that occurs immediately after a
  password reset, which allows context-dependent attackers to discover
  passwords by reading (1) web-server access logs, (2) web-server
  Referer logs, or (3) the browser history.
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-11-06 15:13:18 UTC 
*ping*
Comment 3 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2009-11-06 16:11:10 UTC 
bumped now since webapps hasn't.

You didn't ask for 3.2.5, but there was a 3.2.4 vulnerable as well, so I bumped that too.

Minimal keywording targets:
3.0.x: 3.0.10: alpha amd64 ia64 ppc ppc64 sparc x86
3.2.x: 3.2.5: alpha amd64 ia64 ppc sparc x86
3.4.x: 3.4.3: (none previously stable)

Should be good to ask for 3.4.x to be stabilized anyway, it's had ~60 days in testing for all arches except ppc64 (bug 284166).
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-12-11 13:30:14 UTC 
Arches, please test and mark stable:
=www-apps/bugzilla-3.2.5
Target keywords : "alpha amd64 ia64 ppc ppc64 sparc x86"
Comment 5 Brent Baude (RETIRED) gentoo-dev 2009-12-11 14:39:27 UTC 
ppc64 done
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2009-12-13 15:45:52 UTC 
Stable on alpha.
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-12-14 08:21:50 UTC 
x86 stable
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2009-12-26 11:32:53 UTC 
ia64/sparc stable
Comment 9 Joe Jezak (RETIRED) gentoo-dev 2009-12-27 09:40:20 UTC 
Marked ppc stable.
Comment 10 Markus Meier gentoo-dev 2009-12-31 18:14:20 UTC 
amd64 stable, all arches done.
Comment 11 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-31 07:35:00 UTC 
GLSA with bug 239564, bug 258592, bug 264572, bug 284824, bug 303437, and bug 303725.
Comment 12 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-04 05:17:36 UTC 
GLSA 201006-19